10th October 2008, 08:21 AM #1
Split-Site School - What's the best way to set up the network?
We are a split site school (primary school and secondary school - 10k distance). There is a VPN link (leased line) connection between the two for SIMS and the connection to the internet at the secondary site. The link is not fantastically fast or reliable (we're overseas). Currently, there are a number of domains on each site. This causes problems with duplicating work, and some (admin, mainly) staff work on both sites.
So it would be better to have one domain.
I understand that this is possible with active directory sites. Do we just have a subnet for each site then use that?
Replication - is it bandwidth hungry?
What happens when the link is down? Can we make it so that most services are replicated across each site?
What happens when the link returns? Will windows figure everything out? (How clever is it? Hypothetically: if a user has changed their password at each site while the link is down, how does it know which to use?)
Does it actually work?!
Any help will be appreciated. I need to convince the new network manager that this is better than having all domain controllers at secondary, then a separate subdomain at primary which users can select if the link goes down.
10th October 2008, 08:40 AM #2
Also, NM wants to put a firewall between the sites? I'm not entirely sure why... I think it might be to stop viruses spreading between the sites or something. Is there logic in this? Or will we have to open up so many ports for the replication that it's not worth doing?
10th October 2008, 08:44 AM #3
You can change settings in AD for replication over slow links etc.
How to optimize Active Directory replication in a large network
For some more info on it.
10th October 2008, 08:47 AM #4
You have opened a whole new kettle of fish in regards to AD replicating between firewalls - happy reading!!
Active Directory Replication over Firewalls
10th October 2008, 09:34 AM #5
I would think that you would want a server at each end so that all of the authentication is local to the site. AD Sites and Services can be used to set up multiple sites and sort out replication. Replication can be quite bandwidth heavy if there are lots of changes and initially. The clients will request and respond to the closest controller, which could be specified in AD. Dividing up the subnets properly and firewalling will stop any authentication and unnecessary traffic from flowing over the slow link.
AD is pretty reasonable when it comes to replication and working things out; it will attempt to converge the data fully at each replication interval, which I think is around 120 minutes. AD will start to complain if it cannot replicate for two to three days depending on configuration, which starts to cause issues.
If the user changes a password while the link is down at the remote site, the local AD server will keep this change in its AD database and replicate it when it next can. If the user attempts to log on at the remote site they will have the new password, but if they drive to the old site before the change has replicated it will be the old one.
In general it will take 5 - 10 minutes to replicate it if the link is up, but if you are dealing with file shares and stuff this interval will not matter as the authentication and Kerberos ticket are picked up from the local server and then used on the main network.
10th October 2008, 09:35 AM #6
To answer your broad questions: yes, it works, and it works well, and it sorts everything out. But it is no simple thing to set up, be prepared to spend probably a year on the transition. It's a very time-consuming process.
Introducing a firewall is a whole other kettle of fish though.
10th October 2008, 09:55 AM #7
Why is it so complicated? The Microsoft article seems to make it sound fairly simple! What sorts of problems occurred?
Originally Posted by powdarrmonkey
10th October 2008, 10:00 AM #8
Personally I would go on one domain. How much money (if any) would you have to spend for the connection between the schools?
You could have a fibre connection between the school and use the internet connection just at one school. All internet traffic will go down the fibre connection.
Fibre is expensive but is faster and more reliable.
10th October 2008, 10:08 AM #9
I would consider terminal services with the fibre option
10th October 2008, 10:28 AM #10
I think we've got fastest option we can get/afford... I'm in Malaysia, you kinda have to take what you can get! Fibre is expensive but is faster and more reliable.
10th October 2008, 11:55 AM #11
It's not so much complicated as time-consuming, particularly if it doesn't work quite how you expected. All I'm saying is don't rush into it.
Originally Posted by eean
13th October 2008, 01:54 AM #12
What roles (e.g. Operations master etc...) need to be replicated on each site to ensure that if the link goes down both sites remain functional? Or does the Sites setting itself sort this out?
What about DNS? Obviously needed on each site, but how do you set them up? Is one a backup to the main?
13th October 2008, 02:03 AM #13
If you make both DCs a global catalogue, if one DC goes down the network should run.
Originally Posted by eean
As for DNS, have a DHCP server on each site and configure the DHCP so it points to your DNS that is on site as primary. If you only have one DNS server on each site, make the secondary the one on the other site. Do the ordering the opposite way round on the other site.
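The layout described in posts #5 and #13 (one AD site per campus, a subnet mapped to each, a site link over the WAN, and mirrored DNS ordering in DHCP), as an added example that is not from any poster in this thread. It uses the ActiveDirectory and DhcpServer PowerShell modules from Windows Server 2012 and later (newer than this thread; at the time the same objects were created in the AD Sites and Services console). Every site name, server name, subnet and address is constructed.

```powershell
# Added example: site names, server names, subnets and IPs are all constructed.
Import-Module ActiveDirectory
Import-Module DhcpServer

# One AD site per campus.
New-ADReplicationSite -Name 'Secondary'
New-ADReplicationSite -Name 'Primary'

# Map each campus subnet to its site so clients locate a DC on their own LAN.
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'Secondary'
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'Primary'

# Site link across the WAN; cost and interval are constructed values.
New-ADReplicationSiteLink -Name 'Secondary-Primary' `
    -SitesIncluded 'Secondary','Primary' `
    -InterSiteTransportProtocol IP `
    -Cost 100 -ReplicationFrequencyInMinutes 30

# Place each domain controller in the site it physically sits in.
Move-ADDirectoryServer -Identity 'SEC-DC1' -Site 'Secondary'
Move-ADDirectoryServer -Identity 'PRI-DC1' -Site 'Primary'

# DHCP option 006 (DNS servers): local DNS first, other campus second,
# with the order reversed on the other site's scope.
Set-DhcpServerv4OptionValue -ComputerName 'SEC-DHCP' -ScopeId 10.1.0.0 `
    -DnsServer 10.1.0.10, 10.2.0.10
Set-DhcpServerv4OptionValue -ComputerName 'PRI-DHCP' -ScopeId 10.2.0.0 `
    -DnsServer 10.2.0.10, 10.1.0.10

# Checks: each DC is in the expected site and is a global catalog,
# every subnet is mapped, and replication shows no failures.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
repadmin /replsummary

# Run on a workstation: prints the AD site the client resolved to.
nltest /dsgetsite
```

If `nltest /dsgetsite` on a primary-campus workstation returns the other site's name, the subnet-to-site mapping is wrong and that client will authenticate across the WAN link.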
13th October 2008, 02:27 AM #14
Yikes! I've just discovered that our WAN link is a 1MB PTP VPN. Our new NM wanted to have all the domain controllers at the secondary site and for primary to authenticate over that!
13th October 2008, 02:39 AM #15
Will the changes replicate to each other?
Originally Posted by FN-GM